If last weekend’s unsolicited posting of about 10,000 supposed Hotmail addresses and passwords to a legitimate developers’ Web site did not contain some addresses that were fake, the theory that a hacker may have obtained those addresses through an attack on Microsoft’s servers might continue to hold water. That theory lost ground today, after more addresses from major services other than Hotmail — including Gmail, Yahoo, AOL, Earthlink, and Comcast — appeared without warrant on Pastebin.com, a site for developers to share debugging information.
In what could be the first publicly shared forensic report on the original Hotmail list, security researcher Bogdan Calin with server security software maker Acunetix reported that of the 10,028 entries that appeared in that list (which was apparently partial, including usernames that only began with A and B), 185 of the entries actually had blank passwords. That in and of itself could not have come from a server’s own list of valid passwords, thus lending much credence to the theory that the responses came from a phishing scam.
But not a very sophisticated one, Calin goes on. Without revealing information that would have compromised anyone in particular, he reported that the most commonly repeated passwords he saw in the list, coupled with the nature of the remaining passwords, leads him to conclude that they were obtained from members of the Hispanic community. The password alejandra, for example, appeared 11 times in the list — once more than 111111 — and alejandro appeared 9 times.
From time to time, many sequences of password characters appear almost repeated, except with varying capitalization. “What most probably happened, is that the users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong,” Calin wrote. An unsophisticated phisher might have accepted every attempt at repeating a password in sequence; meanwhile, the unsuspecting victim is trying to log in, thinking, “Didn’t I capitalize the O?”
Paul Dixon, who maintains Pastebin.com, told the press yesterday he’s had to take his site down to address the problem more directly, saying, “Pastebin.com is just a fun side project for me, and today it’s not fun.” This morning, the site was operational.
Though Dixon’s site bears a strong resemblance to Pastebin.org, which has the exact same purpose, users of the latter site — which was not involved in the list-posting incident — began complaining to Dixon last month about problems they were having with that site, not knowing the two were not connected. In a blog post at the time, Dixon wrote that Pastebin.org “seems to have been compromised in other ways, with extra advertising banners and popups…I’m not responsible for that site.”
Possible confusion over the two sites’ identities could play into the motive for the unknown party posting these apparent phishing entries onto a site that otherwise has perfectly legitimate purposes.
As of yet, there is no evidence that anyone — the original poster or any downloaders — has attempted to use any of the partial lists posted to Pastebin.com in a security compromise operation directed at password holders. However, the possibility exists that these lists were posted as evidence of the existence of more complete lists, for inspection by underground sources willing to bid for them. After Bogdan Calin’s analysis, the bidding may not be all that high.